Low Down and Dirty: Anti-forensic Rootkits

Presented by Darren Bilby Ruxcon 2006

Copyright Security-Assessment.com 2006

Agenda
• Anti-forensics Overview
• Digital Forensics Acquisition
• The Live Imaging Process
• How Live Forensics Tools Work
• DDefy Introduction
• NTFS Basics
• DDefy Disk Forensics Demonstration
• DDefy Challenges
• DDefy Memory Forensics Demonstration
• Better Methods for Live Imaging

This is Not…
• A demonstration of 0day rootkit techniques

This is …
• Showing flaws in current and proposed forensic techniques
• Showing how evidence could be manipulated and people wrongly convicted through bad forensic methodologies

Digital Anti-forensics

Anti-Forensics Methods
• Data Contraception
  – Prevent evidence data from existing somewhere that can be analyzed
  – E.g. Memory only malware, memory only exploitation
• Data Hiding
  – Put the data on disk but put it somewhere the forensic analyst is unlikely to look
  – E.g. Defilers toolkit, runefs,

Anti-Forensics Overview
• Data Destruction
  – Destroy any evidence before someone gets a chance to find it
  – E.g. Disk wiping, wipe, srm, evidence eliminator, necrofile
• Data Misdirection
  – Provide the forensic analyst false data that is indistinguishable from the real thing
  – No public examples… until now.

Digital Forensics Acquisition
• Need to gather an evidential copy of a system
• The Aim
  – Gather the “best” evidence available
• Gather volatile information – memory, process list, network connections, open files…
• Power off machine and image disk

Digital Forensics Acquisition
• What really happens…
• Two Competing Aims
  – Gather the “best” evidence available
  – Allow the system to continue operation in an unhindered manner
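A live image is read through the running kernel, so a misdirecting rootkit can hand the imaging tool false sector data while an offline image of the same disk taken after power-off still holds the real content. As an added defender-side example that is not from the talk, the following Python compares the two acquisitions chunk by chunk and reports the byte ranges where they disagree; the sample images are constructed inline and the chunk size is an assumption (512-byte sectors).

```python
import hashlib

SECTOR = 512  # assumed chunk size; use the acquired device's sector size in practice


def acquisition_hash(image: bytes) -> str:
    """Whole-image SHA-256, recorded with each acquisition for chain of custody."""
    return hashlib.sha256(image).hexdigest()


def chunk_hashes(image: bytes, chunk_size: int = SECTOR) -> list:
    """One SHA-256 digest per fixed-size chunk, so diffs are reported per sector."""
    return [hashlib.sha256(image[i:i + chunk_size]).hexdigest()
            for i in range(0, len(image), chunk_size)]


def cross_view_diff(live_image: bytes, offline_image: bytes,
                    chunk_size: int = SECTOR) -> list:
    """Compare a live acquisition against an offline one of the same extent.

    Returns a list of (byte_offset, length) ranges, with adjacent differing
    chunks merged, where the live view disagrees with the offline view.
    An empty list means the two acquisitions are sector-for-sector identical.
    """
    if len(live_image) != len(offline_image):
        raise ValueError("acquisitions differ in length; they must cover the same extent")
    ranges = []
    for idx, (a, b) in enumerate(zip(chunk_hashes(live_image, chunk_size),
                                     chunk_hashes(offline_image, chunk_size))):
        if a == b:
            continue
        start = idx * chunk_size
        if ranges and ranges[-1][0] + ranges[-1][1] == start:
            # extend the previous range when this chunk directly follows it
            ranges[-1] = (ranges[-1][0], ranges[-1][1] + chunk_size)
        else:
            ranges.append((start, chunk_size))
    return ranges


def build_samples():
    """Constructed sample images (not real disk data): 16 sectors of filler."""
    offline = bytearray()
    for n in range(16):
        offline += bytes([n]) * SECTOR
    # Sectors 5 and 6 hold the real evidence in the offline image...
    offline[5 * SECTOR:7 * SECTOR] = b"E" * (2 * SECTOR)
    live = bytearray(offline)
    # ...which a misdirecting driver replaces with benign filler on the live read path.
    live[5 * SECTOR:7 * SECTOR] = b"\x00" * (2 * SECTOR)
    return bytes(live), bytes(offline)
```

Any non-empty result is a concrete pointer to sectors whose live contents cannot be trusted and should be examined in the offline copy.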
